In days where governments are checking out more and more services and demanding backdoors in messenger services, it may be a good idea to host your own messenger service.
I recently found this one and it seems to be quite easy to set up. All information can also be found on the project's page.
GitHub project: https://github.com/spantaleev/matrix-docker-ansible-deploy
Not all of the DNS entries are needed. For a messenger-only setup, only the matrix and element entries and the SRV record are required, but we will create them all.
Needed ports:

| Port | Protocol | Usage |
|---|---|---|
| 80 | tcp | HTTP web server |
| 443 | tcp | HTTPS web server |
| 3478 | tcp | TURN |
| 3478 | udp | TURN |
| 5349 | tcp | TURN |
| 5349 | udp | TURN |
| 8448 | tcp | Matrix federation |
| 49152-49172 | udp | TURN |
Needed DNS entries:

The host field must be set according to your DNS provider: some only want <entry>, others want <entry.domain.toplevel>.

| Type | Host | Priority | Weight | Port | Target |
|---|---|---|---|---|---|
| A | matrix | | | | <your-server-ip> |
| SRV | _matrix-identity._tcp | 10 | 0 | 443 | <matrix.your-domain.top> |
| CNAME | element | | | | <matrix.your-domain.top> |
| CNAME | dimension | | | | <matrix.your-domain.top> |
| CNAME | jitsi | | | | <matrix.your-domain.top> |
| CNAME | stats | | | | <matrix.your-domain.top> |
| CNAME | goneb | | | | <matrix.your-domain.top> |
| CNAME | sygnal | | | | <matrix.your-domain.top> |
| CNAME | hydrogen | | | | <matrix.your-domain.top> |
| CNAME | cinny | | | | <matrix.your-domain.top> |
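Before running the playbook it is worth checking that the records above actually resolve the way the table says, because a missing CNAME or SRV record only shows up later as a failed certificate request or a client that cannot find the homeserver. The following is an added example in Python, not code from the project: it builds the expected record set for a domain and compares it with the live answers. By default it shells out to `dig +short` (assumed to be installed); the resolver is a parameter, so you can plug in any other lookup function.

```python
"""Pre-flight DNS check for the record set in the table above.

Added example, not part of matrix-docker-ansible-deploy. The default
resolver shells out to `dig +short` (assumption: dig is installed);
pass another callable to use a different resolver.
"""
import shutil
import subprocess

# Hostnames that CNAME to the matrix host, taken from the DNS table above.
CNAME_HOSTS = ["element", "dimension", "jitsi", "stats", "goneb", "sygnal", "hydrogen", "cinny"]


def expected_records(domain: str, server_ip: str) -> list:
    """Return (rrtype, name, expected_value) tuples for <domain>.

    Values are written the way `dig +short` prints them: names carry a
    trailing dot, and an SRV answer reads "priority weight port target.".
    """
    matrix_host = f"matrix.{domain}"
    records = [
        ("A", matrix_host, server_ip),
        ("SRV", f"_matrix-identity._tcp.{domain}", f"10 0 443 {matrix_host}."),
    ]
    for host in CNAME_HOSTS:
        records.append(("CNAME", f"{host}.{domain}", f"{matrix_host}."))
    return records


def dig_resolver(rrtype: str, name: str) -> list:
    """Resolve with `dig +short` and return the answer lines (empty list if none)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind9-dnsutils or pass another resolver")
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, check=False)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


def verify_dns(domain: str, server_ip: str, resolver=dig_resolver) -> list:
    """Compare live answers with expected_records(); return problems ([] means all good)."""
    problems = []
    for rrtype, name, want in expected_records(domain, server_ip):
        got = resolver(rrtype, name)
        if not got:
            problems.append(f"{rrtype} {name}: no answer (record missing?)")
        elif want not in got:
            problems.append(f"{rrtype} {name}: expected {want!r}, got {got}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: dnscheck.py <your-domain> <your-server-ip>")
    issues = verify_dns(sys.argv[1], sys.argv[2])
    print("\n".join(issues) if issues else "all DNS records look right")
    sys.exit(1 if issues else 0)
```

Run it as `python3 dnscheck.py example.com 203.0.113.10` from any machine with `dig`; a non-zero exit means at least one record is missing or points somewhere else. Remember that freshly changed records can take a while to propagate, so a failure right after editing DNS may just be caching.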
Setup:
We will run the install on a Debian 11 server. The playbooks don't need to be on the server; they can be run from a remote machine, and that is the suggested way to do it, so that no config files with cleartext passwords reside on the server. In our example we will run everything on one server.
The installation is configured to run as root by default. This can be changed, as documented here.
Install prerequisites:
sudo apt update
sudo apt upgrade
sudo apt install python3 ansible pwgen
Set up root user access with an SSH key:
Generate the key as user root:
$ sudo -i
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:9dzYvTU5smYvNYsigW+FKpYEiY/cWAc1Ck3w9o5SNBU matrix@VM-e640e2b1-6de2-43ca-926d-700e69ba4604
The key's randomart image is:
+---[RSA 3072]----+
| o+..E. |
| ooo . |
| .*o . |
| .o+o. . o + ..|
|. *.o. S . +.o+o|
| +.oo. . o . oo=|
| . .... o o +o.o|
| . + . + .oo.. |
| . . . . . .. |
+----[SHA256]-----+
# now we need to add the public key to the authorized_keys file
$ cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
Now root can ssh into the server as root with key authentication, which is what Ansible will do when the playbook runs.
Clone the git repository:
$ git clone https://github.com/spantaleev/matrix-docker-ansible-deploy.git
Make the configs:
Change to the git directory:
$ cd matrix-docker-ansible-deploy/
Make a directory for your configs:
$ mkdir inventory/host_vars/matrix.<your-domain>
Copy the example configs so we can edit them:
$ cp examples/vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml
$ cp examples/hosts inventory/hosts
Now we generate two passwords: one as the Matrix server secret key, which is used as a base for generating other secrets in Matrix, and one as the Postgres password.
We will use pwgen for this:
-s -> secure: generates a completely random password (that's what the man page says ;))
64 -> length of the password
2 -> how many passwords to generate
# generate matrix and postgres secret
$ pwgen -s 64 2
L0KYiXz2IYpaWNHQxwSEZLOvGiMTIo7ELRwtKGoyVpuvPXCAC7MXeIbAABr0wR61
vXeNlsnaolAKEramzgXHFfJM8cIo3YTQ4XWreTVhQJSJM1Tqp633CTfZKc7ShNM0
Now we edit the vars.yml config file:
# open file for writing
$ vim inventory/host_vars/matrix.<your-domain>/vars.yml
Edit the config as follows (the two secrets are the ones pwgen generated above):
---
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: <your-domain>
# The Matrix homeserver software to install.
# See `roles/matrix-base/defaults/main.yml` for valid options.
matrix_homeserver_implementation: synapse
# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'L0KYiXz2IYpaWNHQxwSEZLOvGiMTIo7ELRwtKGoyVpuvPXCAC7MXeIbAABr0wR61'
# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
matrix_ssl_lets_encrypt_support_email: '<your-mail-address>'
# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: 'vXeNlsnaolAKEramzgXHFfJM8cIo3YTQ4XWreTVhQJSJM1Tqp633CTfZKc7ShNM0'
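This file holds the two secrets in cleartext, which is why the post recommends running the playbook from a machine other than the server. Before deploying, it pays to check that no `<placeholder>` is left in it, that the secrets are long and distinct, and that the file is not readable by other users. The following is an added example in Python, not part of the playbook: it parses the simple `key: value` lines of vars.yml without needing PyYAML and reports anything that would cause a bad deploy. The 32-character minimum is my own threshold, not something the project enforces.

```python
"""Sanity-check inventory/host_vars/matrix.<your-domain>/vars.yml before deploying.

Added example, not part of matrix-docker-ansible-deploy. A minimal line
parser is used so the script needs nothing outside the standard library.
"""
import os
import re
import stat

MIN_SECRET_LEN = 32  # assumption: treat anything shorter than half of `pwgen -s 64` as weak
SECRET_KEYS = ("matrix_homeserver_generic_secret_key", "matrix_postgres_connection_password")
REQUIRED_KEYS = ("matrix_domain", "matrix_homeserver_implementation", *SECRET_KEYS)
EMAIL_KEY = "matrix_ssl_lets_encrypt_support_email"
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_vars(text: str) -> dict:
    """Parse top-level `key: value` lines; comments, blank lines and `---` are skipped."""
    parsed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "---" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        parsed[key.strip()] = value.strip().strip("'\"")
    return parsed


def check_vars(text: str) -> list:
    """Return a list of problems with the vars.yml content; [] means it is ready."""
    v = parse_vars(text)
    problems, placeholders = [], set()
    for key, value in v.items():               # unreplaced <...> placeholders
        if value.startswith("<") and value.endswith(">"):
            placeholders.add(key)
            problems.append(f"{key}: placeholder {value!r} not replaced")
    for key in REQUIRED_KEYS:
        if key not in v:
            problems.append(f"{key}: missing")
    domain = v.get("matrix_domain", "")
    if domain and "matrix_domain" not in placeholders and not HOSTNAME_RE.match(domain.lower()):
        problems.append(f"matrix_domain: {domain!r} is not a bare domain name")
    mail = v.get(EMAIL_KEY, "")
    if mail and EMAIL_KEY not in placeholders and not EMAIL_RE.match(mail):
        problems.append(f"{EMAIL_KEY}: {mail!r} does not look like an e-mail address")
    usable = [k for k in SECRET_KEYS if k in v and k not in placeholders]
    for key in usable:
        if len(v[key]) < MIN_SECRET_LEN:
            problems.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
    if len(usable) == 2 and v[usable[0]] == v[usable[1]]:
        problems.append("the two secrets must differ (pwgen gave you two lines for a reason)")
    return problems


def mode_is_private(mode: int) -> bool:
    """True when group and other have no permission bits at all (0600 / 0400 style)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_file(path: str) -> list:
    """check_vars() on a file, plus a warning when the mode exposes the secrets."""
    problems = []
    mode = os.stat(path).st_mode
    if not mode_is_private(mode):
        problems.append(f"{path}: mode {stat.S_IMODE(mode):04o} lets other users read "
                        f"the cleartext secrets; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        problems.extend(check_vars(fh.read()))
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: checkvars.py inventory/host_vars/matrix.<your-domain>/vars.yml")
    issues = check_file(sys.argv[1])
    print("\n".join(issues) if issues else "vars.yml looks ready")
    sys.exit(1 if issues else 0)
```

Run it against the file you just edited; it exits non-zero on any finding. The mode check matters most if you do follow the advice of running the playbook from another machine: the copy there still deserves `chmod 600`.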
Now we need to edit the hosts file so it fits our setup.
vim inventory/hosts
Edit the host line to look as follows:
# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
#
# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
#
# If you're running this Ansible playbook on the same server as the one you're installing to,
# consider adding an additional `ansible_connection=local` argument to the host line below.
#
# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04).
# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3`
# to the host line below.
[matrix_servers]
matrix.<your-domain> ansible_host=<external-ip-address> ansible_ssh_user=root
Now everything is ready to install the application. The cool thing about Ansible is that the playbooks are idempotent: they can be run again and again and will only change what needs changing.
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all
Now all the playbooks will run for 5 to 10 minutes, and none should show as failed in the recap.
PLAY RECAP ******************************************************************************************************************************************************************
matrix.<your-domain> : ok=221 changed=5 unreachable=0 failed=0 skipped=1696 rescued=0 ignored=0
Start all services:
ansible-playbook -i inventory/hosts setup.yml --tags=start
Check the recap; nothing should fail.
PLAY RECAP ******************************************************************************************************************************************************************
matrix.<your-domain> : ok=22 changed=2 unreachable=0 failed=0 skipped=193 rescued=0 ignored=0
Now the server is up and running. User registration is disabled by default.
We can open https://element.<your-domain> to verify that everything looks good. Element is the web interface for Matrix.
Now we need to create a user to log in with.
There are two ways to create a user:
with Ansible, or via the CLI on the server.
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-username> password=<your-password> admin=<yes|no>' --tags=register-user
OR
/usr/local/bin/matrix-synapse-register-user <your-username> <your-password> <admin access: 0 or 1>
Now we should be able to log in with this user in the Element UI.
By default the setup federates with the whole Matrix network.
To disable this, add the following to inventory/host_vars/matrix.<your-domain>/vars.yml:
matrix_synapse_federation_enabled: false
To share your public rooms with the whole Matrix network, add the following to inventory/host_vars/matrix.<your-domain>/vars.yml:
matrix_synapse_allow_public_rooms_over_federation: true
In either case you have to rerun the install routine:
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all
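After the rerun it is worth verifying from outside that the server behaves the way the variables say: the client API on https://matrix.<your-domain> should answer regardless, while the federation API on port 8448 (from the port table above) should answer only when federation is enabled. The following is an added example in Python, not part of the playbook. It assumes that with `matrix_synapse_federation_enabled: false` port 8448 no longer answers; if your setup differs, a mismatch is a prompt to look at the reverse proxy and firewall, not proof of a bug. The `fetch` function is a parameter so the check can be exercised without network access.

```python
"""Post-deploy check of the client and federation endpoints of the homeserver set up above.

Added example, not part of matrix-docker-ansible-deploy. Endpoint paths
are the public Matrix client/federation API; port 8448 comes from the
port table in this post.
"""
import json
import urllib.error
import urllib.request


def default_fetch(url: str, timeout: float = 5.0):
    """GET a URL and return (status, body); network errors become (None, error text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, str(e.reason)
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def probe_urls(domain: str) -> dict:
    """The two endpoints worth checking after a deploy."""
    host = f"matrix.{domain}"
    return {
        "client_api": f"https://{host}/_matrix/client/versions",
        "federation": f"https://{host}:8448/_matrix/federation/v1/version",
    }


def _json(body: str) -> dict:
    """Parse a JSON object leniently; anything that is not an object becomes {}."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return {}
    return data if isinstance(data, dict) else {}


def check_deployment(domain: str, federation_expected: bool, fetch=default_fetch) -> list:
    """Return findings as (check, ok, detail) tuples."""
    urls = probe_urls(domain)
    findings = []

    status, body = fetch(urls["client_api"])
    versions = _json(body).get("versions", [])
    findings.append(("client_api", status == 200 and bool(versions),
                     f"status={status}, {len(versions)} spec versions advertised"))

    status, body = fetch(urls["federation"])
    reachable = status == 200
    if reachable:
        server = _json(body).get("server", {})
        detail = (f"federation API answers on 8448 "
                  f"({server.get('name', '?')} {server.get('version', '?')})")
    else:
        detail = f"federation API does not answer on 8448 (status={status}, {body[:60]!r})"
    # ok when reachability matches what matrix_synapse_federation_enabled says (assumption, see lead-in)
    findings.append(("federation", reachable == federation_expected, detail))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3 or sys.argv[2] not in ("on", "off"):
        sys.exit("usage: healthcheck.py <your-domain> on|off   (federation as set in vars.yml)")
    results = check_deployment(sys.argv[1], sys.argv[2] == "on")
    for check, ok, detail in results:
        print(f"[{'OK' if ok else 'FAIL'}] {check}: {detail}")
    sys.exit(0 if all(ok for _, ok, _ in results) else 1)
```

Run it from a machine outside your network, for example `python3 healthcheck.py example.com off` after disabling federation, so that the firewall and reverse proxy are exercised the way a remote homeserver would see them.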
Congratulations. Your own messaging server is now up and running and can be used for messaging in the browser and in the mobile app.
More articles about the other functions will follow.